The Final Audit – Regulatory

Part 5 in our 5-part series:

In the final blog post in our 5-part series about audits in the food processing industry, we are discussing the most difficult of them all – Regulatory Audits. So far, we’ve discussed Internal Audits, Second Party Audits, and Third Party Audits. Those all focus mainly on safety and quality for customer-supplier interactions. Regulatory Audits, however, serve another purpose: to ensure compliance with regulatory requirements.board certified entomologist

The food industry is one of the most regulated industries in the U.S. Being ready for an audit like this takes expertise. Luckily, we have a Board Certified entomologist who is also a Certified Supplier Quality Auditor, Advanced SQF Practitioner, and PCQI. So, we sat down with Shannon Sked to discuss Regulatory Audits.

Q: Shannon, it seems like we have been talking audits for months! Thanks so much for giving us your time to discuss this one, too. So, tell us – what is a Regulatory Audit?

A: A Regulatory Audit is any document/physical inspection and verification process that evaluates the compliance features of a company’s Food Safety Plan to regulatory requirements. These are the most binary, “yes/no”, audits where features of the programs either comply or do not. Unlike all other audits (first, second, third party), these are not done between businesses but between a company being audited and a regulatory body with authority to oversee compliance. Under the Food Safety Modernization Act (FSMA), the FDA carries out Regulatory Audits. And under FSMA, FDA has been given much stronger authority than it ever had before (including pulling registrations, issuing emergency recalls, etc. without necessarily needing a court order or injunction). However, there are others. Companies that work with dairy or meats are subject to USDA inspections. Local authorities might have general safety inspections that can include aspects of food safety. The list goes on. However, the two that are often the focus of companies are FDA audits and USDA inspections.

A main difference between these Regulatory Audits and the other audits we’ve discussed is that these can have civil and criminal legal implications as well as business implications. If you fail an Internal Audit, the company will implement corrective actions to address gaps in the programs; but this is internal so the implications aren’t punitive. Rather, they are restorative or corrective. Second party audits can have significant business implications, especially if your Food Safety Plans and Food Quality Plans do not meet your customer’s requirements for Supplier Verification Programs or if your standards don’t meet the contractual obligations in particular. Third Party Audits can also have business implications if your customers have a certification expectation. Additionally, poor results in a Third Party Audit can have reputation and brand implications. However, Regulatory Audits can lead to punitive action, regulatory action (including operational stoppage, detentions, etc.), and business implications (brand impact in particular).

Q: As usual, excellent info. Can a business in the food processing industry be ready for a Regulatory Audit?

A: This is a complicated question (as simple as it may seem on the surface). For the USDA inspections, there is a history between the USDA and the markets they regulate, including much more frequent inspections. So, while stringent in their standards, the standards themselves are often much better understood than FSMA requirements. FSMA is regulated by the FDA, which doesn’t have these same attributes in most cases. Additionally, it’s a new set of regulations that had sweeping changes to the way that we look at food safety today (again, preventive now vs. prescriptive).

In 2016, the FSMA rules were finally being rolled out with a tiered approach of adoption by the industry based on company sizes. Today, we have several rules passed and implemented. When FSMA was first rolling out the rules, Third Party Audit schematics were being compared (e.g. “Leavitt Partners White Paper”). One thing was very clear: the FDA was not going to consider a Third Party Audit schematic an “automatic pass” to FDA audits. In response, many of the auditing third party organizations began conducting a gap analysis, reviewing where/how their schematics meet or miss the requirements of FSMA. The result of that initiative was updates to many of the schematics. While none of them would be considered again, a “free pass” on compliance to FSMA during FDA inspections, it certainly has helped with bringing companies in compliance. Therefore, my first suggestion to any company would be to ensure that your Food Safety Plan is audited by a third party auditing organization. While this might not get a company into complete compliance in itself, these audit schematics are helpful in getting facilities into compliance with most of the FSMA requirements. It also helps to bring about a culture of food safety, by and large (and in my opinion), the most important aspect of compliance.

Q: And last question. It may be a loaded one, but here goes. Is this the last kind of audit a business in food processing can expect to come?

A: So we have reviewed 4 large buckets of audit types:

  1. First Party (typically internal) audits
  2. Second Party (typically customer) audits
  3. Third Party (independent certification) audits
  4. Regulatory (mostly USDA and FDA) audits

Nearly all audits that I can think of fit into one of these buckets. There are various versions of audits out there; a nearly ad-infinitum plethora! However, in some way they fit into one of these four buckets. For example, at Western, we conduct a Pest Prevention Pre-requisite audit where we conduct a document review and physical plant inspection (typically a one day on-site) audit. We review our QA Logbook, sanitation records, facilities maintenance reports, and other documents that either directly contribute to pest prevention or are tangential to the program. We then inspect the plant looking at various programs, again that either directly contribute to pest prevention or are tangential to it. Programs include Pest Prevention, Sanitation, Facilities Maintenance, Capital Improvement Planning/Facilities Development, Management Buy-in, Training and Certification, etc. While comprehensive, this is not a full Food Safety audit. So where does this fit? We are not a customer. Although contracted, we’re not in-house staff. We’re certainly not a third-party certified body, although we look closely at these standards based on a facility’s certification. And, we are not the FDA or USDA. Still, I put our audits in the First Party/Internal audits bucket. The information is confidential with our customers, is only given to professionals within that company, and is designed as a consultative effort to prepare our customer for Third Party and Regulatory Audits.

The other thing to consider, which is critically important to stress-test a company’s food safety culture, is the working interaction between these four types of audits. Are First Party Audit reports creating corrective action programs that are closing gaps that otherwise would be found in Second Party, Third Party, or Regulatory Audits? Are some of the results of Second Party Audits being used to direct future First Party Audits or to create Food Safety Improvements for Third Party and Regulatory Audits? Are consultative efforts in preparation for Third Party Audits doing the same? And are Regulatory Audits being used to focus on gap analysis (root cause) and corrective action planning for the other 3 audits as well? Chances are, if your company can answer yes to all of these questions, you likely have a culture of Food Safety! But never forget to incorporate this with the vendors you hire as well. They are just as important for good audit results as in-house staff, whether they are your sanitation company, pest control company, building contractors, etc. The culture of Food Safety should be shot through all aspects of your plant’s operations. If it is, you are well on your way to having happy audits!

As usual, this was not only informative but essential to know. The consequences of any food processing audit can vary from inconvenient to deadly for the business. Knowing everything you can about them is the best way to be “always audit ready.”